Overview

I would like to have a Satellite 6.newest server to showcase common Satellite use cases. So the idea is to have a quick but flexible way to set up a Satellite 6.x server from scratch.

Goal

The idea is to get most parts somehow automated (but still not very flexible). In this blog I’m relying on shell scripting for the main Satellite configuration part, as the well known “hammer” command is a shell command. The script will stop when it runs into an error. If the error is fixed and you rerun the script, it will skip over any task fulfilled already. There are some pre-configuration tasks done through Ansible though.

The server we set up is “owning” its own subnet, on which DHCP, TFTP and domain name resolution are fully under the control of the Satellite server. This means there will be no conflicts, e.g. with network-wide DHCP servers.

Solution

Important words on name resolution:

Satellite 6 needs to have forward and reverse records for its own hostname (bound to the interface of the deployment network) in place before starting satellite-install, in order to get the certificates set up correctly.

You will want to achieve the following:

  1. ensure DNS forward and reverse lookup for the hostname of your server
  2. ensure the resolved IP corresponds to the interface which points to the network of the clients
  3. ensure no other IP address resolves to the same name
  4. ensure no other name resolves to the same IP address

If you do not take this seriously enough, you might run into trouble when rolling out servers: they might fail to register with subscription management (internal server error).

The demo Satellite server will have its own (very private) network interface (for deployment) delivering DNS, DHCP, TFTP and so forth for that network.

The Satellite DNS server will resolve its own name and be master over the whole network configuration. satellite-install will be given all directives to configure DNS zones and DHCP ranges.

This brings us to a chicken-and-egg issue:

The DNS server will only be in place after satellite-install has run, and only thereafter can you add the records for the Satellite itself; but satellite-install also needs the DNS in place beforehand, otherwise the certificates will be wrong.

The approach which should work:

  1. on the Satellite host
    1. put its hostname and the private IP in /etc/hosts
    2. set up resolv.conf to work with the official nameserver (otherwise subscription-manager and yum won’t work)
  2. install the Satellite packages and install Satellite (with the satellite-install script)
    1. this should bring up your local DNS server for your (private) domain and your subnet
    2. the local DNS server should forward requests to the official nameservers
  3. add the Satellite host to your local DNS server
  4. reconfigure your resolver to only ask localhost
  5. continue with the Satellite configuration (mostly via hammer)
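
The pre-install steps (1.1, 1.2 and 4) plus the four name-resolution checks from above, as an added example that is not part of the original post or of the coe_sat62 scripts. It assumes a plain /etc/hosts and resolv.conf layout; the HOSTS_FILE and RESOLV_FILE variables let you run it against scratch copies before touching the real files, and ip_is_on_interface assumes iproute2 is present.

```shell
#!/bin/sh
# Added example (not code from the original post): the pre-install name
# resolution steps, written so they are idempotent and self-checking.
# HOSTS_FILE / RESOLV_FILE default to the real files but can be pointed at
# scratch copies for testing.
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
RESOLV_FILE="${RESOLV_FILE:-/etc/resolv.conf}"

# Print the hosts file with comments stripped.
hosts_entries() {
  sed 's/#.*//' "$HOSTS_FILE"
}

# Step 1.1: map the private IP to the FQDN (and its short name), only once.
ensure_hosts_entry() {
  addr="$1"; fqdn="$2"; short="${2%%.*}"
  if hosts_entries | awk -v a="$addr" -v n="$fqdn" \
       '$1 == a { for (i = 2; i <= NF; i++) if ($i == n) found = 1 } END { exit !found }'; then
    return 0                      # already present, nothing to do
  fi
  printf '%s\t%s %s\n' "$addr" "$fqdn" "$short" >> "$HOSTS_FILE"
}

# Steps 1.2 and 4: write resolv.conf for the given search domain and
# nameservers (official resolvers before the install, 127.0.0.1 afterwards).
write_resolv_conf() {
  domain="$1"; shift
  {
    printf 'search %s\n' "$domain"
    for ns in "$@"; do printf 'nameserver %s\n' "$ns"; done
  } > "$RESOLV_FILE"
}

# The assurances from the text, checked against the hosts file:
#  - a forward entry for the name exists
#  - it yields exactly the expected IP (so no other IP resolves to the name)
#  - no other name (besides the short alias) is listed for that IP
# Returns non-zero and prints the reason on failure.
check_hosts_consistency() {
  addr="$1"; fqdn="$2"; short="${2%%.*}"
  ips=$(hosts_entries | awk -v n="$fqdn" '{ for (i = 2; i <= NF; i++) if ($i == n) print $1 }' | sort -u)
  [ -n "$ips" ] || { echo "no forward entry for $fqdn" >&2; return 1; }
  [ "$ips" = "$addr" ] || { echo "$fqdn resolves to [$ips], expected $addr" >&2; return 1; }
  others=$(hosts_entries | awk -v a="$addr" -v n="$fqdn" -v s="$short" \
    '$1 == a { for (i = 2; i <= NF; i++) if ($i != n && $i != s) print $i }')
  [ -z "$others" ] || { echo "$addr also resolves to: $others" >&2; return 1; }
  return 0
}

# Live-system check for assurance 2: is the IP configured on the deployment
# interface (eth1 in this post)? Uses iproute2's "ip -o -4 addr show"; this
# one is not exercised offline.
ip_is_on_interface() {
  ip -o -4 addr show dev "$2" 2>/dev/null | awk '{ print $4 }' | cut -d/ -f1 | grep -Fxq -- "$1"
}
```

Typical use on the host from this post would be ensure_hosts_entry 172.24.101.3 msisat62.example.com followed by check_hosts_consistency with the same arguments, then write_resolv_conf with the official nameservers before the installer and with 127.0.0.1 afterwards.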

System to deploy on

The system we deploy on can be virtual or physical. It needs connectivity to the Red Hat CDN and needs a “local” subnet.

I installed RHEL 7.2 on a virtual machine.

Memory: 16 GB are recommended for Satellite.

Storage

I set up a default-sized VM which brings a 100 GB boot volume. As Satellite is very disk-space hungry, I added a second 400 GB volume – meant for /var/lib.

Networking interfaces

I have a private VLAN attached to the VM with the subnet 172.24.101.0/24, which can be used to deploy hosts and where I am able to run DHCP et al. The Satellite nevertheless needs an interface in the rhevm network to be reached from the outside world.

I configured the server to use DHCP (address only) on eth0 on the rhevm network.

And I configured a static IP on the private VLAN. Important: eth1 must have “default route” deactivated.

Installation/configuration of the OS

I specified to boot from the RHEL 7.2 DVD ISO. In the grub menu I added the following parameter to the default install item:

inst.ks=https://raw.githubusercontent.com/mschreie/coe_sat62/master/anaconda-ks.cfg

which pulls in some definitions on how to install, so that things get kind of unattended (except for providing the parameter).

Hint: You need to retype this, as I found no way to cut & paste into the RHEV-provided VM console…

But it does save quite some manual work and prevents mistakes.

For reference:
Storage
I set up filesystems as follows:

/ 50 GB
/home no separate volume, no separate filesystem
/var/lib 250 GB on a separate volume group on the separate volume (leaving 150 GB for growth)

Networking interfaces

I set up eth0 to use DHCP and eth1 to have a static IP on my private VLAN.

Disabled IPv6 on all devices. Disabled changing of resolv.conf via DHCP.

The config needs to look like this in the end:

eth0: DHCP (address only), attach automatically
eth1: manual, attach automatically
     IP: 172.24.101.3/24 (note it is .3 now!)
     router: 172.24.101.253
no DNS configured
HOSTNAME: msisat62.example.com

Looking at the files (and correcting them if necessary):

[root@msisat62 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE="Ethernet"
BOOTPROTO="dhcp"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="no"
NAME="eth0"
UUID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
DEVICE="eth0"
ONBOOT="yes"
PEERDNS="no"
PEERROUTES="yes"

[root@msisat62 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=no
IPV4_FAILURE_FATAL=no
IPV6INIT=no
NAME=eth1
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
DEVICE=eth1
ONBOOT=yes
IPADDR=172.24.101.3
PREFIX=24
GATEWAY=172.24.101.253

Preparation – done through Ansible

Disclaimer: With this project I used /etc/ansible as the main project path, which I would not do today and which I would not recommend. As the paths are hard-coded in many places, I did not want to change this without good testing. I therefore leave the unpleasant paths the way they work.

[mschreie@mschreie coe]$ ssh-copy-id root@msisat62

I added to Ansible’s inventory file (/etc/ansible/hosts):

[coe]
msisat62 ansible_user=root

As I grep the output of some commands, it is essential that it is in the expected language. In /etc/ansible/ansible.cfg I ensured this:

[defaults]
#module_lang = C
module_lang = en_US.UTF-8

I stored the secrets on how to reach the CDN in a separate encrypted vault file.

[root@mschreie coe]# ansible-vault create secret.yml
cdnuser: myusername
cdnpass: mypassword

The Playbook itself can be downloaded like this:

[mschreie@mschreie ~ ]$ cd /etc/ansible/coe/
[mschreie@mschreie coe]$ wget https://github.com/mschreie/coe_sat62/raw/master/secret.yml
[mschreie@mschreie coe]$ wget https://github.com/mschreie/coe_sat62/raw/master/satellite_install.yml
[mschreie@mschreie coe]$ cd /etc/ansible/templates/
[mschreie@mschreie templates]$ wget https://github.com/mschreie/coe_sat62/raw/master/resolv.conf.j2
[mschreie@mschreie templates]$ cd /etc/ansible/coe/

I then ran:

[mschreie@mschreie coe]$ ansible-playbook -vv satellite_install.yml --ask-vault-pass
Using /etc/ansible/ansible.cfg as config file
Vault password:
Loaded callback default of type stdout, v2.0
....

Installation – shell script part

I used Adrian Bradshaw’s book “Getting Started with Satellite 6 Command Line” to set up my Satellite server. I put all commands in a shell script. Up to now this script is very unspectacular: no big intelligence or algorithm inside.

I added some mechanism for logging and to stop at an error – so that the script won’t mess up anything further. These mechanisms work pretty well but are not tested thoroughly. Feedback welcome 😉

I’ve separated script and configuration:

First you find the configuration:

[root@msisat62 ~]# wget https://raw.githubusercontent.com/mschreie/coe_sat62/master/satenv.sh

and the script itself:

[root@msisat62 ~]# wget https://raw.githubusercontent.com/mschreie/coe_sat62/master/satellite_setup.sh

Please find some explanation:

  1. Commands really changing the setup are wrapped with a doit function (as mentioned above)
  2. This function puts each correctly executed command in a donefile. The doit function also exits the script when a command returns an error. This gives you the chance to correct the issue before everything is messed up. When rerunning, the script will skip all commands found in the donefile. You can safely rerun the script and it continues exactly where it stopped before.
  3. all output should be seen on the screen and in a logfile called $0.log
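
A minimal doit wrapper with exactly those three properties (donefile, stop on error, output on screen and in a logfile), as an added example; it is not the doit function from satellite_setup.sh. The donefile and logfile names are derived from $0 as in the text, and the DONEFILE and LOGFILE variables are an assumption of this example so they can be redirected.

```shell
#!/bin/sh
# Added example, not the blog's satellite_setup.sh: a minimal "doit" wrapper
# with the three properties listed above (donefile, stop on error, log + screen).
# DONEFILE and LOGFILE are derived from the script name unless overridden.
DONEFILE="${DONEFILE:-$0.done}"
LOGFILE="${LOGFILE:-$0.log}"

# Print a message to the screen and append it to the logfile.
say() {
  printf '%s\n' "$*" | tee -a "$LOGFILE"
}

# Run "$@" unless an identical command line is already recorded in DONEFILE.
# On success the command line is appended to DONEFILE; on failure the script
# exits with the command's status so the problem can be fixed before rerunning.
doit() {
  key="$*"
  if [ -f "$DONEFILE" ] && grep -Fxq -- "$key" "$DONEFILE"; then
    say "SKIP (in donefile): $key"
    return 0
  fi
  say "RUN : $key"
  # The command's exit status is written to a status file, because the
  # status of a pipeline is tee's, not the command's (PIPESTATUS is bash only).
  statusfile=$(mktemp)
  echo 0 > "$statusfile"
  { "$@" 2>&1 || echo $? > "$statusfile"; } | tee -a "$LOGFILE"
  rc=$(cat "$statusfile")
  rm -f "$statusfile"
  if [ "$rc" -ne 0 ]; then
    say "FAIL (rc=$rc): $key -- fix the problem and rerun; finished steps will be skipped" >&2
    exit "$rc"
  fi
  printf '%s\n' "$key" >> "$DONEFILE"
  say "DONE: $key"
}

# Example sequence, as a setup script would use it (constructed commands,
# commented out so the file can be sourced without side effects):
# doit hammer organization create --name "$ORG"
# doit hammer location create --name "$LOC"
```

Because the donefile key is the full command line, changing an argument in satenv.sh makes the step run again, which is usually what you want; a command that is not idempotent on its own still needs care when rerun after a partial failure.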

To run the script simply call:

[root@msisat62 ~]# vi satenv.sh
[root@msisat62 ~]# bash satellite_setup.sh

Explanation of the satellite-installer command:

satellite-installer --scenario satellite \
   --foreman-proxy-dhcp true \
   --foreman-proxy-dhcp-interface eth1 \
   --foreman-proxy-dhcp-range "$RANGEFROM $RANGETO" \
   --foreman-proxy-dhcp-nameservers "$DNSSERVER" \
   --foreman-proxy-dns true \
   --foreman-proxy-dns-forwarders "$DNSFORWARDERS" \
   --foreman-proxy-dns-interface $SATINTERFACE \
   --foreman-proxy-dns-zone "$DNSDOMAIN" \
   --foreman-proxy-dns-reverse "$DNSREVERSDOM" \
   --foreman-proxy-tftp true \
   --katello-proxy-url=http://proxy.coe.muc.redhat.com \
   --katello-proxy-port=3128 \
   --enable-foreman-plugin-openscap \
   --enable-foreman-proxy-plugin-openscap

I chose the satellite-installer command line as seen in the satellite_setup.sh script.

It is wise to analyze the logs in /var/log/katello-installer/…log. Unfortunately I did not catch the admin credentials. Therefore I ran (also part of the script):

[mschreie@mschreie coe]$ foreman-rake permissions:reset
Reset to user: admin, password: FYdURRwgxAqbYD5N

and put the new credentials into /root/.hammer/cli_config.yml to use hammer without passing any credentials (also part of the script). To log in to the web UI you need to look up the current password in /root/.hammer/cli_config.yml.

Note: I wanted to set the timezone but the timezone module from Ansible was not on my notebook… It is now, but I did not update the script yet.

Checking what I did
I need to check that DHCP / DNS are roughly what I expected:

[mschreie@mschreie coe]$ cat /etc/named.conf
[mschreie@mschreie coe]$ less /etc/named/options.conf
[mschreie@mschreie coe]$ cat /etc/zones.conf
[mschreie@mschreie coe]$ less /etc/dhcp/dhcpd.conf

[mschreie@mschreie coe]$ dig @localhost www.google.de
[mschreie@mschreie coe]$ dig @localhost mdschreier.coe.muc.redhat.com AXFR
[mschreie@mschreie coe]$ dig @localhost rhevm.coe.muc.redhat.com
[mschreie@mschreie coe]$ dig @localhost rhev.coe.muc.redhat.com

Manual tweaking

DNS records

I did the DNS changes inside the script already. Nothing to do here anymore.

DNS resolv.conf

same here – this is corrected through the script.

enable content in activation keys

As you know, the activation key contains a content view. All repositories of the CV are available through the AK. But some repositories default to “not enabled”. You can then enable them on the server with the “subscription-manager repos” command. I prefer having them enabled per default.

I did not manage to get the right hammer-command in place yet.

The direction might be:

[root@msi-sat62 ~]# hammer activation-key list
[root@msi-sat62 ~]# hammer activation-key info --id 1  --organization "$ORG"  << you do not see the repositories here :-(
[root@msi-sat62 ~]# hammer activation-key product-content --id 1 --organization "$ORG"
-----|--------------------------------------------------------|------|-----|---------|----------------------------------------|---------
ID   | NAME                                                   | TYPE | URL | GPG KEY | LABEL                                  | ENABLED?
-----|--------------------------------------------------------|------|-----|---------|----------------------------------------|---------
4831 | Red Hat Satellite Tools 6.2 (for RHEL 7 Server) (RPMs) |      |     |         | rhel-7-server-satellite-tools-6.2-rpms | 1      
2455 | Red Hat Enterprise Linux 7 Server (Kickstart)          |      |     |         | rhel-7-server-kickstart                | default
2472 | Red Hat Enterprise Linux 7 Server - RH Common (RPMs)   |      |     |         | rhel-7-server-rh-common-rpms           | default
2456 | Red Hat Enterprise Linux 7 Server (RPMs)               |      |     |         | rhel-7-server-rpms                     | default
-----|--------------------------------------------------------|------|-----|---------|----------------------------------------|---------

[root@msi-sat62 ~]# hammer activation-key content-override --content-label rhel-7-server-rh-common-rpms --value 1 --id 1 --organization "$ORG"
Updated content override

FixMe: Needs to be automated and added in the script.
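
One way to automate the step above, as an added example that is not part of the original post or script: parse the product-content table printed by hammer and issue the content-override command (both as shown above) for every repository still at “default”. It assumes the table layout shown above (pipe separated, LABEL in the sixth column, ENABLED? in the seventh); the HAMMER variable is an assumption of this example so the commands can be dry-run with echo or stubbed.

```shell
#!/bin/sh
# Added example, not from the original post: derive the content-override
# commands from the "hammer activation-key product-content" table shown above.
# Assumption: the table layout is the one printed above (pipe separated, LABEL
# in column 6, ENABLED? in column 7); every repository still at "default" is
# switched to enabled (--value 1), matching the preference stated in the text.

# Sample table, copied from the output above (constructed test input).
SAMPLE_TABLE='-----|--------------------------------------------------------|------|-----|---------|----------------------------------------|---------
ID   | NAME                                                   | TYPE | URL | GPG KEY | LABEL                                  | ENABLED?
-----|--------------------------------------------------------|------|-----|---------|----------------------------------------|---------
4831 | Red Hat Satellite Tools 6.2 (for RHEL 7 Server) (RPMs) |      |     |         | rhel-7-server-satellite-tools-6.2-rpms | 1
2455 | Red Hat Enterprise Linux 7 Server (Kickstart)          |      |     |         | rhel-7-server-kickstart                | default
2472 | Red Hat Enterprise Linux 7 Server - RH Common (RPMs)   |      |     |         | rhel-7-server-rh-common-rpms           | default
2456 | Red Hat Enterprise Linux 7 Server (RPMs)               |      |     |         | rhel-7-server-rpms                     | default
-----|--------------------------------------------------------|------|-----|---------|----------------------------------------|---------'

# Read the table on stdin and print the LABEL of every row whose ENABLED? is
# "default". Separator and header rows never match, so no line counting needed.
labels_at_default() {
  awk -F'|' 'NF >= 7 {
    gsub(/^[ \t]+|[ \t]+$/, "", $6); gsub(/^[ \t]+|[ \t]+$/, "", $7)
    if ($7 == "default") print $6
  }'
}

# Enable every "default" repository of one activation key. HAMMER can be
# overridden (e.g. HAMMER=echo for a dry run, or a stub function for testing).
enable_default_repos() {
  ak_id="$1"; org="$2"
  ${HAMMER:-hammer} activation-key product-content --id "$ak_id" --organization "$org" |
    labels_at_default |
    while IFS= read -r label; do
      ${HAMMER:-hammer} activation-key content-override \
        --content-label "$label" --value 1 --id "$ak_id" --organization "$org"
    done
}
```

In the setup script this would be called as enable_default_repos 1 "$ORG" after the activation key has been created; running it with HAMMER=echo first shows the exact override commands it would issue.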

First Deployment

I created a VM via RHEVM-WebUI:

  • small
  • nic VLAN 101
  • 50 GB thin provisioned disk, bootable
  • Boot sequence: PXE, Hard Disk

I noted the MAC address: 00:1a:4a:7f:6a:38

And ran:

[root@msi-sat62 ~]# hammer host create --hostgroup "$HG1" \
   --name "msi-provisiontest1" --mac "00:1a:4a:7f:6a:38" \
   --root-password "redhat00" \
   --organization "${ORG}" --location "${LOC}"

Host created

This host deployed charmingly well.

Conclusion

We are now able to set up a Satellite Server 80% in an automated way. The result will be a Satellite 6.2 up and running and able to provision an existing server.

There are still quite some pitfalls and I believe all this needs quite some tweaking.

Update: I’m now working on an “Ansible only” solution to set up a Satellite Server but still hope the shell script might help you as well.